As I understand SSL, the packet headers remain unencrypted; the content is encrypted. Hence the ability of routers throughout the Internet to route SSL packets.
----- Original Message -----
From: "Aryeh Katz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 27, 2002 05:23
Subject: Re: Reverse Proxy https question

> I don't understand something.
> If the Apache proxy server is not going to decrypt the packets, how will it know where to send it?
> Aryeh
>
> > I am trying to Reverse Proxy HTTPS connections in the following
> > manner:
> >
> > CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy,
> > posing as secure-site.com (non-ssl, non-decrypting, just passing the
> > https through) -> Sonicwall SSL Accelerator (a stand-alone HW device
> > for SSL decryption/encryption, hosting the certificate for
> > secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)
> >
> > The purpose for this design is to keep the webserver behind a layer of
> > switches (for VLANs and ACLs) and Cisco Content Servers (which act as
> > a router and load balancer) and keep the Apache proxy server as the
> > "edge presence" of the website.
> >
> > What happens with this configuration is:
> > 1) The client browser connects to the Apache proxy
> > 2) The Apache proxy server connects to the SSL accelerator with HTTPS
> >    successfully, as seen in the debug-level Apache log files.
> > 3) The browser waits, waits and waits...
> > 4) The Apache proxy sits, sits and sits.
> > 5) The Webserver DOES see the non-ssl connection. The
> >    information in the access log is:
> >    "Client IPAddress - - [25/Jun/2002:17:04:18 -0700] "?L / HTTP/1.0" 302 0 "
> > 6) Eventually the client browser gives up and times out.
> >
> > If I install the certificate for secure-site.com on the Apache
> > reverse proxy server and enable SSL, then the Apache reverse proxy
> > will connect with SSL to both the browser and the downstream
> > webserver. This works, but is pointless as it loads the Proxy server's
> > CPU with SSL encryption/decryption. That's what we have the SSL
> > accelerators for.
> >
> > What is missing in my config?
> > Is this setup even possible?
> > Any comments?
> >
> > Thanks in advance.
> >
> > -Michael
> >
> > --------------
> >
> > This is the Apache config I am using:
> > ----------
> > # plaintext listener on the HTTPS port: no SSLEngine directive here
> > Listen IPAddress:443
> > LogLevel debug
> > <VirtualHost IPAddress:443>
> >     # SSLProxyEngine only affects the outgoing proxy connection
> >     SSLProxyEngine On
> >     ServerName web-site
> >     # forward everything to the SSL accelerator over HTTPS
> >     ProxyPass / https://secure-site.com
> >     # rewrite Location/Content-Location headers in backend responses
> >     ProxyPassReverse / https://secure-site.com
> > </VirtualHost>
> >
> > ------------
> > Server version: Apache/2.0.39
> > Server built:   Jun 25 2002 16:11:49
> >
> > -----------
> > Compiled in modules:
> >   core.c
> >   mod_access.c
> >   mod_auth.c
> >   mod_include.c
> >   mod_log_config.c
> >   mod_env.c
> >   mod_setenvif.c
> >   mod_proxy.c
> >   proxy_connect.c
> >   proxy_ftp.c
> >   proxy_http.c
> >   mod_ssl.c
> >   prefork.c
> >   http_core.c
> >   mod_mime.c
> >   mod_status.c
> >   mod_autoindex.c
> >   mod_asis.c
> >   mod_cgi.c
> >   mod_negotiation.c
> >   mod_dir.c
> >   mod_imap.c
> >   mod_actions.c
> >   mod_userdir.c
> >   mod_alias.c
> >   mod_so.c
> >
> ---
> Aryeh Katz
> VASCO
> www.vasco.com
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
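An added illustration of the point the two replies circle around (it is not code from the thread, from Apache or from any of the posters). mod_proxy in Apache 2.0 is an HTTP-level proxy: with no SSLEngine on the listener it reads whatever the browser sends as an HTTP request line, and a TLS handshake is not one. The only thing a non-decrypting proxy can legitimately read is the ClientHello, which TLS sends in the clear. Today that message normally carries the target host name in the Server Name Indication extension (RFC 6066; first standardized in RFC 3546 in 2003, so after this thread), and stream-level proxies such as nginx with ssl_preread or HAProxy with req.ssl_sni route on it without terminating TLS. The script below constructs such a ClientHello for secure-site.com (the host name from the thread; the handshake bytes, fixed "random" field and cipher suite are constructed for the example), shows that it does not parse as an HTTP request, and extracts the SNI the way a passthrough proxy would. The backend address 10.0.0.5:443 is a hypothetical stand-in for the SSL accelerator.

```python
"""
Added example (not from the thread): what a non-decrypting proxy can and
cannot read from the first bytes an HTTPS client sends.
"""
import struct
from typing import Dict, Optional, Tuple

TOKEN_CHARS = (b"!#$%&'*+-.^_`|~0123456789"
               b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (constructed data)."""
    host = server_name.encode("ascii")
    # server_name extension (RFC 6066): list_len(2) | name_type(1)=0 | name_len(2) | name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(range(32))                       # "random": fixed bytes, constructed
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type=handshake


def looks_like_http_request(data: bytes) -> bool:
    """The first check a plaintext HTTP listener makes: METHOD SP target SP HTTP/x.y."""
    line = data.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False
    return all(c in TOKEN_CHARS for c in parts[0])   # method must be a token


def printable_preview(data: bytes, n: int = 8) -> str:
    """Render the first bytes the way a text access log would: non-printable bytes become '?'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in data[:n])


def extract_sni(record: bytes) -> Optional[str]:
    """Parse the cleartext ClientHello and return the SNI host name, or None. Nothing is decrypted."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                  # truncated: the first segment may not hold it all
    p = 2 + 32                                       # skip client_version and random
    try:
        sid_len = body[p]; p += 1 + sid_len
        cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2 + cs_len
        comp_len = body[p]; p += 1 + comp_len
        if p + 2 > len(body):
            return None                              # no extensions at all (pre-SNI client)
        ext_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
            if etype == 0x0000:                      # server_name
                q = p + 2                            # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = body[q]
                    nlen = struct.unpack("!H", body[q + 1:q + 3])[0]
                    name = body[q + 3:q + 3 + nlen]
                    if ntype == 0 and len(name) == nlen:
                        return name.decode("ascii")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error):
        return None                                  # malformed: treat as unroutable, do not guess
    return None


def route_by_sni(first_bytes: bytes, table: Dict[str, Tuple[str, int]]) -> Optional[Tuple[str, int]]:
    """The decision a TLS-passthrough proxy makes from the cleartext ClientHello alone."""
    name = extract_sni(first_bytes)
    if name is None:
        return None                                  # no SNI: only a fixed default backend is possible
    return table.get(name.lower())


if __name__ == "__main__":
    hello = build_client_hello("secure-site.com")
    backends = {"secure-site.com": ("10.0.0.5", 443)}   # hypothetical SSL-accelerator address
    print("TLS bytes look like HTTP:", looks_like_http_request(hello))
    print("as a text log shows them:", printable_preview(hello))
    print("SNI in the clear:", extract_sni(hello))
    print("passthrough route:", route_by_sni(hello, backends))
    print("plain GET looks like HTTP:",
          looks_like_http_request(b"GET / HTTP/1.0\r\nHost: secure-site.com\r\n\r\n"))
```

Two caveats a practitioner would want. The SNI value is unauthenticated and visible to every hop on the path, so it is good for choosing a backend but never for an access decision; the certificate and the TLS termination still belong on whatever holds the private key (the accelerator in Michael's design), and the edge box must simply copy bytes at the TCP level rather than proxy HTTP. And a client with no SNI extension (any 2002-era browser, or a connection using Encrypted ClientHello) gives the function above nothing to route on, which is exactly the situation Aryeh's question describes.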